In a data center, the service systems of different users each have their own infrastructure, such as computers and networks, and the infrastructures of the different service systems are independent of each other. Information isolation between the service systems can therefore be ensured by physical network isolation, so that information of one service system does not leak to another. For example, the computers and network of a financial system are isolated from those of the other service systems, which ensures that users of the other service systems cannot steal data from the financial system via the network.
Virtualization means that computer elements run on a virtual rather than a physical basis. With central processing unit (CPU) virtualization technology, a single CPU can simulate multiple CPUs running in parallel, one platform can run multiple operating systems, and applications can run in mutually independent spaces without interfering with each other, which significantly improves the working efficiency of a computer. Because of this advantage, applying virtualization technologies to the data center has become a research hotspot in the prior art. However, after a data center is virtualized, the machine running a user's services is no longer a physical computer but a virtual machine (VM) installed on a physical computer; different virtual machines belonging to different tenants may run on the same physical host, and different service systems formed of virtual machines share the same network infrastructure. In this case, it is difficult to isolate the information systems. For example, if a financial system and a research and development (R&D) system use different virtual machines, but those virtual machines run on the same physical host or in the same network, a user may steal data from the financial system by means of address fraud, network interception, or the like through a virtual machine in the R&D system. Therefore, when different tenants share the physical infrastructure, dividing the virtual machines into different virtual networks across a physical boundary and ensuring information isolation between those virtual networks becomes a basic requirement for securing multiple tenants in the virtualized data center.
In the prior art, information isolation between virtual networks is generally ensured by forcing the network traffic of the virtual machine through a switch: all traffic generated by a virtual machine in the physical host is sent to a switch outside the physical host, the switch performs filtering control processing on that traffic in the same way as it processes the traffic of an ordinary host, and the virtual machine is thereby isolated using the existing virtual local area network (VLAN) technology.
However, in the prior art, all traffic for communication between the virtual machines is directed to the switch for processing, which greatly increases the burden on the switch.
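As an added illustration that is not part of the original document, the following Python model of the prior-art arrangement shows why port-based VLAN filtering at the external switch defeats address fraud from a co-located tenant, and why every frame, even between two VMs on the same host, adds to the switch's load. The tenants, MAC names and port numbers are constructed for the example.

```python
from dataclasses import dataclass

# Constructed scenario: financial VMs (VLAN 10) and R&D VMs (VLAN 20) share one
# physical host and one external switch. Each switch port is an access port
# bound to a single VLAN, so a frame's VLAN is decided by the port it arrives
# on, never by anything the VM writes into the frame.

@dataclass(frozen=True)
class Frame:
    src_mac: str        # claimed source MAC (a VM may forge this)
    dst_mac: str
    ingress_port: int   # port the frame arrived on

@dataclass
class Switch:
    port_vlan: dict            # port -> access VLAN id
    mac_port: dict             # (vlan, mac) -> learned port
    frames_processed: int = 0  # load placed on the switch

    def forward(self, frame):
        """Return the set of egress ports after VLAN isolation."""
        self.frames_processed += 1
        vlan = self.port_vlan[frame.ingress_port]
        # Learning is scoped to the ingress VLAN, so a MAC forged from another
        # tenant's port cannot overwrite this VLAN's forwarding entry.
        self.mac_port[(vlan, frame.src_mac)] = frame.ingress_port
        if (vlan, frame.dst_mac) in self.mac_port:
            egress = {self.mac_port[(vlan, frame.dst_mac)]}
        else:
            # Unknown destination: flood, but only to ports in the same VLAN.
            egress = {p for p, v in self.port_vlan.items() if v == vlan}
        egress.discard(frame.ingress_port)
        return egress

def run_scenario():
    # Ports 1-2: financial VMs, VLAN 10.  Ports 3-4: R&D VMs, VLAN 20.
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20}, mac_port={})
    sw.forward(Frame("fin-a", "fin-b", 1))   # financial VMs exchange frames
    sw.forward(Frame("fin-b", "fin-a", 2))   # so the switch learns their MACs
    # R&D VM on port 3 forges fin-a's MAC and addresses fin-b (address fraud).
    spoof = sw.forward(Frame("fin-a", "fin-b", 3))
    # Two financial VMs on the same host still have to cross the switch.
    same_host = sw.forward(Frame("fin-a", "fin-b", 1))
    return {
        "spoof_egress": spoof,               # stays inside VLAN 20
        "same_host_egress": same_host,       # delivered to port 2 only
        "fin_a_port": sw.mac_port[(10, "fin-a")],  # entry not poisoned
        "switch_load": sw.frames_processed,  # every frame counted
    }
```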